Martin Ekerå

2024-09-14

Abstract:We heuristically show that Shor's algorithm for computing general discrete logarithms achieves an expected success probability of approximately 60% to 82% in a single run when modified to enable efficient implementation with the semi-classical Fourier transform. By slightly increasing the number of group operations that are evaluated quantumly and performing a single limited search in the classical post-processing, or by performing two limited searches in the post-processing, we show how the algorithm can be further modified to achieve a success probability that heuristically exceeds 99% in a single run. We provide concrete heuristic estimates of the success probability of the modified algorithm, as a function of the group order $r$, the size of the search space in the classical post-processing, and the additional number of group operations evaluated quantumly. In the limit as $r \rightarrow \infty$, we heuristically show that the success probability tends to one. In analogy with our earlier works, we show how the modified quantum algorithm may be heuristically simulated classically when the logarithm $d$ and $r$ are both known. Furthermore, we heuristically show how slightly better tradeoffs may be achieved, compared to our earlier works, if $r$ is known when computing $d$. We generalize our heuristic to cover some of our earlier works, and compare it to the non-heuristic analyses in those works.

Cryptography and Security,Quantum Physics

Martin Ekerå,Johan Håstad

DOI: https://doi.org/10.1007/978-3-319-59879-6_20

2017-02-01

Abstract:In this paper we generalize the quantum algorithm for computing short discrete logarithms previously introduced by Ekerå so as to allow for various tradeoffs between the number of times that the algorithm need be executed on the one hand, and the complexity of the algorithm and the requirements it imposes on the quantum computer on the other hand. Furthermore, we describe applications of algorithms for computing short discrete logarithms. In particular, we show how other important problems such as those of factoring RSA integers and of finding the order of groups under side information may be recast as short discrete logarithm problems. This immediately gives rise to an algorithm for factoring RSA integers that is less complex than Shor's general factoring algorithm in the sense that it imposes smaller requirements on the quantum computer. In both our algorithm and Shor's algorithm, the main hurdle is to compute a modular exponentiation in superposition. When factoring an n bit integer, the exponent is of length 2n bits in Shor's algorithm, compared to slightly more than n/2 bits in our algorithm.

Cryptography and Security,Quantum Physics

Xia Liu,Huan Yang,Li Yang

DOI: https://doi.org/10.1186/s42400-023-00181-w

2023-01-01

Abstract:The elliptic curve discrete logarithm problem (ECDLP) is a popular choice for cryptosystems due to its high level of security. However, with the advent of the extended Shor's algorithm, there is concern that ECDLP may soon be vulnerable. While the algorithm does offer hope in solving ECDLP, it is still uncertain whether it can pose a real threat in practice. From the perspective of the quantum circuits of the algorithm, this paper analyzes the feasibility of cracking ECDLP using an ion trap quantum computer with improved quantum circuits for the extended Shor's algorithm. We give precise quantum circuits for extended Shor's algorithm to calculate discrete logarithms on elliptic curves over prime fields, including modular subtraction, three different modular multiplication, and modular inverse. Additionally, we incorporate and improve upon windowed arithmetic in the circuits to reduce the CNOT-counts. Whereas previous studies mostly focused on minimizing the number of qubits or the depth of the circuit, we focus on minimizing the number of CNOT gates in the circuit, which greatly affects the running time of the algorithm on an ion trap quantum computer. Specifically, we begin by presenting implementations of basic arithmetic operations with the lowest known CNOT-counts, along with improved constructions for modular inverse, point addition, and windowed arithmetic. Next, we precisely estimate that, to execute the extended Shor's algorithm with the improved circuits to factor an n-bit integer, the CNOT-count required is 1237n(3)/ log n + 2n(2) + n. Finally, we analyze the running time and feasibility of the extended Shor's algorithm on an ion trap quantum computer.

Cédric Pilatte

2024-04-25

Abstract:In 1994, Shor introduced his famous quantum algorithm to factor integers and compute discrete logarithms in polynomial time. In 2023, Regev proposed a multi-dimensional version of Shor's algorithm that requires far fewer quantum gates. His algorithm relies on a number-theoretic conjecture on the elements in $(\mathbb{Z}/N\mathbb{Z})^{\times}$ that can be written as short products of very small prime numbers. We prove a version of this conjecture using tools from analytic number theory such as zero-density estimates. As a result, we obtain an unconditional proof of correctness of this improved quantum algorithm and of subsequent variants.

Number Theory,Computational Complexity,Quantum Physics

John Proos,Christof Zalka

DOI: https://doi.org/10.48550/arXiv.quant-ph/0301141

2004-01-23

Abstract:We show in some detail how to implement Shor's efficient quantum algorithm for discrete logarithms for the particular case of elliptic curve groups. It turns out that for this problem a smaller quantum computer can solve problems further beyond current computing than for integer factorisation. A 160 bit elliptic curve cryptographic key could be broken on a quantum computer using around 1000 qubits while factoring the security-wise equivalent 1024 bit RSA modulus would require about 2000 qubits. In this paper we only consider elliptic curves over GF($p$) and not yet the equally important ones over GF($2^n$) or other finite fields. The main technical difficulty is to implement Euclid's gcd algorithm to compute multiplicative inverses modulo $p$. As the runtime of Euclid's algorithm depends on the input, one difficulty encountered is the ``quantum halting problem''.

Quantum Physics

Muhammad Imran,Gábor Ivanyos

2023-12-22

Abstract:The semidirect discrete logarithm problem (SDLP) is the following analogue of the standard discrete logarithm problem in the semidirect product semigroup $G\rtimes \mathrm{End}(G)$ for a finite semigroup $G$. Given $g\in G, \sigma\in \mathrm{End}(G)$, and $h=\prod_{i=0}^{t-1}\sigma^i(g)$ for some integer $t$, the SDLP$(G,\sigma)$, for $g$ and $h$, asks to determine $t$. As Shor's algorithm crucially depends on commutativity, it is believed not to be applicable to the SDLP. Previously, the best known algorithm for the SDLP was based on Kuperberg's subexponential time quantum algorithm. Still, the problem plays a central role in the security of certain proposed cryptosystems in the family of \textit{semidirect product key exchange}. This includes a recently proposed signature protocol called SPDH-Sign. In this paper, we show that the SDLP is even easier in some important special cases. Specifically, for a finite group $G$, we describe quantum algorithms for the SDLP in $G\rtimes \mathrm{Aut}(G)$ for the following two classes of instances: the first one is when $G$ is solvable and the second is when $G$ is a matrix group and a power of $\sigma$ with a polynomially small exponent is an inner automorphism of $G$. We further extend the results to groups composed of factors from these classes. A consequence is that SPDH-Sign and similar cryptosystems whose security assumption is based on the presumed hardness of the SDLP in the cases described above are insecure against quantum attacks. The quantum ingredients we rely on are not new: these are Shor's factoring and discrete logarithm algorithms and well-known generalizations.

Cryptography and Security,Computational Complexity,Quantum Physics

Martin Ekerå,Joel Gärtner

DOI: https://doi.org/10.1007/978-3-031-62746-0_10

2024-01-30

Abstract:Regev recently introduced a quantum factoring algorithm that may be perceived as a $d$-dimensional variation of Shor's factoring algorithm. In this work, we extend Regev's factoring algorithm to an algorithm for computing discrete logarithms in a natural way. Furthermore, we discuss natural extensions of Regev's factoring algorithm to order finding, and to factoring completely via order finding. For all of these algorithms, we discuss various practical implementation considerations, including in particular the robustness of the post-processing.

Cryptography and Security,Quantum Physics

Christopher Battarbee,Delaram Kahrobaei,Ludovic Perret,Siamak F. Shahandashti

2024-06-07

Abstract:Group-based cryptography is a relatively unexplored family in post-quantum cryptography, and the so-called Semidirect Discrete Logarithm Problem (SDLP) is one of its most central problems. However, the complexity of SDLP and its relationship to more well-known hardness problems, particularly with respect to its security against quantum adversaries, has not been well understood and was a significant open problem for researchers in this area. In this paper we give the first dedicated security analysis of SDLP. In particular, we provide a connection between SDLP and group actions, a context in which quantum subexponential algorithms are known to apply. We are therefore able to construct a subexponential quantum algorithm for solving SDLP, thereby classifying the complexity of SDLP and its relation to known computational problems.

Cryptography and Security,Group Theory,Quantum Physics

Minki Hhan,Takashi Yamakawa,Aaram Yun

DOI: https://doi.org/10.1007/978-3-031-68391-6_1

2024-10-22

Abstract:This paper studies the quantum computational complexity of the discrete logarithm (DL) and related group-theoretic problems in the context of generic algorithms -- that is, algorithms that do not exploit any properties of the group encoding. We establish a generic model of quantum computation for group-theoretic problems, which we call the quantum generic group model. Shor's algorithm for the DL problem and related algorithms can be described in this model. We show the quantum complexity lower bounds and almost matching algorithms of the DL and related problems in this model. More precisely, we prove the following results for a cyclic group $G$ of prime order. - Any generic quantum DL algorithm must make $\Omega(\log |G|)$ depth of group operations. This shows that Shor's algorithm is asymptotically optimal among the generic quantum algorithms, even considering parallel algorithms. - We observe that variations of Shor's algorithm can take advantage of classical computations to reduce the number of quantum group operations. We introduce a model for generic hybrid quantum-classical algorithms and show that these algorithms are almost optimal in this model. Any generic hybrid algorithm for the DL problem with a total number of group operations $Q$ must make $\Omega(\log |G|/\log Q)$ quantum group operations of depth $\Omega(\log\log |G| - \log\log Q)$. - When the quantum memory can only store $t$ group elements and use quantum random access memory of $r$ group elements, any generic hybrid algorithm must make either $\Omega(\sqrt{|G|})$ group operations in total or $\Omega(\log |G|/\log (tr))$ quantum group operations. As a side contribution, we show a multiple DL problem admits a better algorithm than solving each instance one by one, refuting a strong form of the quantum annoying property suggested in the context of password-authenticated key exchange protocol.

Quantum Physics,Cryptography and Security

Richard Jozsa

DOI: https://doi.org/10.1109/5992.909000

2000-12-17

Abstract:Amongst the most remarkable successes of quantum computation are Shor's efficient quantum algorithms for the computational tasks of integer factorisation and the evaluation of discrete logarithms. In this article we review the essential ingredients of these algorithms and draw out the unifying generalization of the so-called abelian hidden subgroup problem. This involves an unexpectedly harmonious alignment of the formalism of quantum physics with the elegant mathematical theory of group representations and fourier transforms on finite groups. Finally we consider the non-abelian hidden subgroup problem mentioning some open questions where future quantum algorithms may be expected to have a substantial impact.

Quantum Physics

Yan Huang,Zhaofeng Su,Fangguo Zhang,Yong Ding,Rong Cheng

DOI: https://doi.org/10.1007/s11128-019-2562-5

IF: 1.965

2020-01-01

Quantum Information Processing

Abstract:The discrete logarithm problem (DLP) plays an important role in modern cryptography since it cannot be efficiently solved on a classical computer. Currently, the DLP based on the hyperelliptic curve of genus 2 (HCDLP) is widely used in industry and also a research field of hot interest. At the same time, quantum computing, a new paradigm for computing based on quantum mechanics, provides the ability to solve certain hard problems that cannot be efficiently solved on classical computers. In this paper, we consider the problem of solving the HCDLP in the paradigm of quantum computing. We propose a quantum algorithm for solving the HCDLP by applying the framework of quantum algorithm designed by Shor. The key of the algorithm is the realization of divisor addition. We solve the key problem and get analytical results for divisor addition by geometric meaning of the group addition. Therefore, the procedure can be efficiently realized on a quantum computer using the basic modular arithmetic operations. Finally, we conclude that the HCDLP defined over an n-bit prime field \(\mathbb {F}_{p}\) can be computed on a quantum computer with at most \(13n+2\lfloor \log _{2}n\rfloor +10\) qubits using \(2624n^{3} \log _{2}n-2209.2n^{3} + 1792n^{2} \log _{2}n-3012.8n^{2}\) Toffoli gates. For current parameters at comparable classical security levels, there are fewer qubits and Toffoli gates to solve the HCDLP than the ones to solve the DLP based on elliptic curves.

Lior Rotem,Gil Segev

DOI: https://doi.org/10.1007/s00145-024-09506-5

2024-06-08

Journal of Cryptology

Abstract:The Schnorr identification and signature schemes have been among the most influential cryptographic protocols of the past 3 decades. Unfortunately, although the best-known attacks on these two schemes are via discrete logarithm computation, the known approaches for basing their security on the hardness of the discrete logarithm problem encounter the "square-root barrier." In particular, in any group of order p where Shoup's generic hardness result for the discrete logarithm problem is believed to hold (and is thus used for setting concrete security parameters), the best-known t -time attacks on the Schnorr identification and signature schemes have success probability , whereas existing proofs of security only rule out attacks with success probabilities and , respectively, where denotes the number of random oracle queries issued by the attacker. We establish tighter security guarantees for identification and signature schemes which result from -protocols with special soundness based on the hardness of their underlying relation, and in particular for Schnorr's schemes based on the hardness of the discrete logarithm problem. We circumvent the square-root barrier by introducing a high-moment generalization of the classic forking lemma, relying on the assumption that the underlying relation is " d -moment hard": The success probability of any algorithm in the task of producing a witness for a random instance is dominated by the d th moment of the algorithm's running time. In the concrete context of the discrete logarithm problem, already Shoup's original proof shows that the discrete logarithm problem is 2-moment hard in the generic group model, and thus, our assumption can be viewed as a highly plausible strengthening of the discrete logarithm assumption in any group where no better-than-generic algorithms are currently known. Applying our high-moment forking lemma in this context shows that, assuming the 2-moment hardness of the discrete logarithm problem, any t -time attacker breaks the security of the Schnorr identification and signature schemes with probabilities at most and , respectively.

computer science, theory & methods,engineering, electrical & electronic,mathematics, applied

Duyal Yolcu

2023-03-18

Abstract:The textbook adversary bound for function evaluation states that to evaluate a function $f\colon D\to C$ with success probability $\frac{1}{2}+\delta$ in the quantum query model, one needs at least $\left( 2\delta -\sqrt{1-4\delta^2} \right) Adv(f)$ queries, where $Adv(f)$ is the optimal value of a certain optimization problem. For $\delta \ll 1$, this only allows for a bound of $\Theta\left(\delta^2 Adv(f)\right)$ even after a repetition-and-majority-voting argument. In contrast, the polynomial method can sometimes prove a bound that doesn't converge to $0$ as $\delta \to 0$. We improve the $\delta$-dependent prefactor and achieve a bound of $2\delta Adv(f)$. The proof idea is to "turn the output condition into an input condition": From an algorithm that transforms perfectly input-independent initial to imperfectly distinguishable final states, we construct one that transforms imperfectly input-independent initial to perfectly distinguishable final states in the same number of queries by projecting onto the "correct" final subspaces and uncomputing. The resulting $\delta$-dependent condition on initial Gram matrices, compared to the original algorithm's condition on final Gram matrices, allows deriving the tightened prefactor.

Quantum Physics,Computational Complexity

Ann Dooms,Carlo Emerencia

DOI: https://doi.org/10.1016/j.jisa.2024.103923

IF: 4.96

2024-11-29

Journal of Information Security and Applications

Abstract:The security of widely-used public-key cryptographic protocols like RSA, Diffie–Hellman key exchange and the Digital Signature Algorithm (DSA) is under threat due to the emergence of quantum computers. Shor's groundbreaking quantum algorithm poses a significant risk by efficiently factoring large integers into their prime factors, compromising RSA security. Additionally, it solves the Discrete Logarithm Problem, impacting certain Diffie–Hellman-based cryptosystems and digital signatures. Given this, it is imperative to enhance our current cryptographic tools for the post-quantum era, aiming to make it impractical, even with quantum algorithms, to breach the security of new cryptosystems. Prominent alternatives include elliptic curve and lattice-based cryptography, with exploration into other algebraic systems featuring difficult problems to ensure security. This paper establishes that systems based on the difficulty of inverting group ring elements are not quantum-resistant.

computer science, information systems

Yuqing Zhu,Jincheng Zhuang,Hairong Yi,Chang Lv,Dongdai Lin

DOI: https://doi.org/10.1007/s10623-018-0492-3

2018-01-01

Abstract:The discrete logarithm problem (DLP) in a group is a fundamental assumption that underpins the security of many systems. Hence evaluating its hardness is important. For efficient implementation of cryptographic algorithms, sometimes groups with additional structures are preferred. However, these structures may be used to obtain faster attacks. By using equivalence classes, Galbraith and Ruprai proposed a faster algorithm to solve the DLP in an interval of size N, with expected running time of \(1.361\sqrt{N}\) group operations. Liu generalized their algorithm to the 2-dimensional case, which required \(1.450\sqrt{N}\) group operations. Further, for an elliptic curve with an efficiently computable endomorphism, Liu reduced the complexity to \(1.026\sqrt{N}\). In this paper, we propose a variant of the Galbraith–Ruprai algorithm. This variant has average-case asymptotic complexity close to \(1.253\sqrt{N}\) for sufficiently large N. For certain practical parameters, the complexity is \(1.275\sqrt{N}\) in the 1-dimensional case and \(1.393\sqrt{N}\) in the 2-dimensional case. Then we extend the algorithm for the case of larger equivalence classes. In particular, for the 2-dimensional DLP in a rectangle on an elliptic curve with an efficiently computable endomorphism, we reduce the complexity to \(0.985\sqrt{N}\) for certain fixed parameters. We also discuss some possible further improvements.

Léo Ducas,Maxime Plançon,Benjamin Wesolowski

DOI: https://doi.org/10.1007/978-3-030-26948-7_12

2019-01-01

Abstract:The hardness of finding short vectors in ideals of cyclotomic number fields (hereafter, Ideal-SVP) can serve as a worst-case assumption for numerous efficient cryptosystems, via the average-case problems Ring-SIS and Ring-LWE. For a while, it could be assumed the Ideal-SVP problem was as hard as the analog problem for general lattices (SVP), even when considering quantum algorithms.But in the last few years, a series of works has lead to a quantum algorithm for Ideal-SVP that outperforms what can be done for general SVP in certain regimes. More precisely, it was demonstrated (under certain hypotheses) that one can find in quantum polynomial time a vector longer by a factor at most documentclass[12pt]{minimal}usepackage{amsmath}usepackage{wasysym}usepackage{amsfonts}usepackage{amssymb}usepackage{amsbsy}usepackage{mathrsfs}usepackage{upgreek}setlength{oddsidemargin}{-69pt}egin{document}$$alpha = exp ({widetilde{O}(n^{1/2})})$$end{document} than the shortest non-zero vector in a cyclotomic ideal lattice, where n is the dimension.In this work, we explore the constants hidden behind this asymptotic claim. While these algorithms have quantum steps, the steps that impact the approximation factor documentclass[12pt]{minimal}usepackage{amsmath}usepackage{wasysym}usepackage{amsfonts}usepackage{amssymb}usepackage{amsbsy}usepackage{mathrsfs}usepackage{upgreek}setlength{oddsidemargin}{-69pt}egin{document}$$alpha $$end{document} are entirely classical, which allows us to estimate it experimentally using only classical computing. Moreover, we design heuristic improvements for those steps that significantly decrease the hidden factors in practice. Finally, we derive new provable effective lower bounds based on volumetric arguments.This study allows to predict the crossover point with classical lattice reduction algorithms, and thereby determine the relevance of this quantum algorithm in any cryptanalytic context. For example we predict that this quantum algorithm provides shorter vectors than BKZ-300 (roughly the weakest security level of NIST lattice-based candidates) for cyclotomic rings of rank larger than about 24000.

Júlia Barberà-Rodríguez,Nicolas Gama,Anand Kumar Narayanan,David Joseph

2024-11-08

Abstract:Lattice-based cryptography has emerged as one of the most prominent candidates for post-quantum cryptography, projected to be secure against the imminent threat of large-scale fault-tolerant quantum computers. The Shortest Vector Problem (SVP) is to find the shortest non-zero vector in a given lattice. It is fundamental to lattice-based cryptography and believed to be hard even for quantum computers. We study a natural generalization of the SVP known as the $K$-Densest Sub-lattice Problem ($K$-DSP): to find the densest $K$-dimensional sub-lattice of a given lattice. We formulate $K$-DSP as finding the first excited state of a Z-basis Hamiltonian, making $K$-DSP amenable to investigation via an array of quantum algorithms, including Grover search, quantum Gibbs sampling, adiabatic, and Variational Quantum Algorithms. The complexity of the algorithms depends on the basis through which the input lattice is presented. We present a classical polynomial-time algorithm that takes an arbitrary input basis and preprocesses it into inputs suited to quantum algorithms. With preprocessing, we prove that $O(KN^2)$ qubits suffice for solving $K$-DSP for $N$ dimensional input lattices. We empirically demonstrate the performance of a Quantum Approximate Optimization Algorithm $K$-DSP solver for low dimensions, highlighting the influence of a good preprocessed input basis. We then discuss the hardness of $K$-DSP in relation to the SVP, to see if there is reason to build post-quantum cryptography on $K$-DSP. We devise a quantum algorithm that solves $K$-DSP with run-time exponent $(5KN\log{N})/2$. Therefore, for fixed $K$, $K$-DSP is no more than polynomially harder than the SVP.

Quantum Physics,Computational Complexity,Cryptography and Security

Carl A. Miller

2024-10-09

Abstract:An experimental cryptographic proof of quantumness will be a vital milestone in the progress of quantum information science. Error tolerance is a persistent challenge for implementing such tests: we need a test that not only can be passed by an efficient quantum prover, but one that can be passed by a prover that exhibits a certain amount of computational error. (Brakerski et al. 2018) introduced an innovative two-round proof of quantumness based on the Learning With Errors (LWE) assumption. However, one of the steps in their protocol (the pre-image test) has low tolerance for error. In this work we present a proof of quantumness which maintains the same circuit structure as (Brakerski et al. 2018) while improving the robustness for noise. Our protocol is based on cryptographically hiding an extended Greenberger-Horne-Zeilinger (GHZ) state within a sequence of classical bits. Asymptotically, our protocol allows the total probability of error within the circuit to be as high as $1 - O ( \lambda^{-C} )$, where $\lambda$ is the security parameter and $C$ is a constant that can be made arbitrarily large. As part of the proof of this result, we also prove an uncertainty principle over finite abelian groups which may be of independent interest.

Quantum Physics

Manisha J. Nene,Gaurav Upadhyay

DOI: https://doi.org/10.1007/978-981-10-1023-1_33

2016-01-01

Abstract:The strength of the famous RSA algorithm depends on the difficulty of factoring large integers in polynomial time. Shor’s quantum algorithm has the potential to break RSA in reasonable time. Although, development and commercial availability of high power (16-qubit and more) quantum computers is still some years away, efforts in the direction of simulating quantum algorithms on a classical system are welcome. This paper presents a systematic approach in the direction of factoring integers using the Shor’s quantum algorithm on a classical system, where the results of simulation are corroborated with theoretical results.